Blockchain based secure software updates for IoT devices

11630658 · 2023-04-18

Abstract

Methods and systems for provable, auditable and secure software updates for resource-constrained IoT devices are provided via a security framework and a protocol for owner-controlled software updates for IoT devices through blockchain.

Claims

1. A method for updating software between a manufacturer and Internet of Things (IoT) devices of owners using a blockchain, comprising: (a) creating encryption keys for a software update and then further creating an encryption of the encryption keys; (b) storing on the blockchain: (p) the encryption of the encryption keys, (pp) an address of the encrypted software update; (ppp) a signature of a manufacturer, wherein the blockchain is defined as a distributed electronic database containing transaction records accessible over an Internet; (c) from an IoT device accessing the blockchain for (p), (pp) and (ppp); and (d) decrypting and installing the software update on the IoT device, wherein the installing updates the blockchain by creating an install transaction record on the blockchain, record the install transaction and encrypt the install transaction record making the install transaction record unchangeable.

2. The method as set forth in claim 1, further comprising encrypting the software update and storing the encrypted software update on a Cloud, wherein the Cloud is defined as a storage accessible over the Internet, and wherein the encrypting and storing is performed by the manufacturer.

3. The method as set forth in claim 1, further comprising the manufacturer notifying one or more owners regarding an availability of the software update for their respective IoT devices.

4. The method as set forth in claim 1, the one or more owners submitting a payment for the software update, wherein the payment transaction is via a software-coded secure transaction mechanism on the blockchain, wherein the transaction records stored on the blockchain are unchangeable upon creation of the transaction records, and wherein the unchangeability upon creation is enforced through cryptography.

5. The method as set forth in claim 4, further comprising the manufacturer auditing the software update of the IoT device by accessing the unchangeable install transaction record on the blockchain.

6. The method as set forth in claim 4, further comprising the one or more owners auditing the software update of the IoT device by accessing the unchangeable install transaction record on the blockchain.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 shows according to an exemplary embodiment of the invention an overview of Framework Data Flow and Components.

(2) FIG. 2 shows according to an exemplary embodiment of the invention an algorithmic process for the protocol step-by-step. In FIG. 2 of the drawings in U.S. Provisional Patent Application 63/031,887, filed May 29, 2020, to which this application claims priority, and which is incorporated herein by reference, the reader will be able to see the same process with the addition of the steps in the figure. The text of the steps is removed from FIG. 2 for clarity and compliance in this application, but each of the steps is described in the text infra.

DETAILED DESCRIPTION

(3) The objective of the present invention is to provide methods and systems for provable and secure software updates for resource-constrained IoT devices. Accordingly, the inventors provide this via a security framework and a protocol for owner-controlled software updates for IoT devices through blockchain.

(4) The following aspects are key objectives/aspects of the invention. Embodiments of the invention:
Categorize software updates to clearly identify the purpose of the update (security update, feature update, bug fix update, performance improvement).
Leverage blockchains to provide a secure updating process while not generating overhead for IoT devices.
Provide auditing (via blockchain) of the software updates for both the manufacturer and the owner of IoT devices.
Use smart contracts to ensure the delivery of the software and financial transaction of fees and payment.
Are suitable for securing resource-constrained (low CPU, low power, low internet connectivity) IoT devices with limited overhead.
Offload higher CPU blockchain operations to the owner's device and to the blockchain itself.

Protocol Algorithm

(5) FIG. 1 shows an overview of Framework Data Flow and Components. FIG. 2 shows the Algorithmic Process for the protocol step-by-step. Embodiments of the invention ensure secure software that maintains fundamental security concepts of confidentiality, integrity, availability, authenticity, and accountability. The protocol is designed to ensure several key functionalities that do not currently exist. The ordering of the steps is essential to its security.

(6) The algorithm lends itself to parallelization. Several steps can be run at the same time without dependency on their ordering while also maintaining security. Current techniques are end-to-end sequential in nature.

(7) The smart contract creates a secure platform to guarantee payment of software and also the delivery of the software keys. Software that is paid for also has guaranteed delivery.

Security

(8) Security of the software update is covered in terms of confidentiality through encryption of the software update, and keys sent through blockchain to the owner. The key setup process exchanges keys for communication using an asymmetric cryptosystem defined as $\{KeyGen_a(\lambda), E_a(\chi, k), D_a(c, k)\}$.
KeyGen generates a key.
$E_a$ is the asymmetric encryption algorithm.
$D_a$ is an asymmetric decryption algorithm.
$\lambda$ is the security parameter.
$\chi$ is the message (the software update $b_j$ or other data).
$c$ is the encrypted message.
$k$ is a key.

(9) Cryptosystems require input parameters which are a public key PK and a private (secret key) SK. The manufacturer and owner of the IoT devices create their key pairs to communicate securely between the manufacturer $(PK_{mi}, SK_{mi})$ and the owner $(PK_{ol}, SK_{ol})$. For this invention, this same methodology is used to establish a shared secret key between owner and manufacturer. The delivery of the keys through blockchain and the security of the framework algorithm is one of the innovations here.

(10) For the purposes of this invention, the software update $b_j$ for the device is encrypted using symmetric encryption $E_s$ using a key $k_{bj}$. The key $k_{bj}$ itself is encrypted by $E_a(k_b, PK_{ol})$ by the manufacturer using the public key $PK_{ol}$ of the owner and sent to the blockchain. Thus, the integrity of both the key $k_b$ and the software update $b_j$ is guaranteed. The key $k_{bj}$ and contents of the software update $b_j$ cannot be opened and cannot be changed.

(11) The integrity of the software update remains unaltered during communication. It is ensured through the use of cryptographic hashing. The cryptographic hash $h_{Ebj}$ of the encrypted software update is sent to the blockchain as part of the update message (um). The cryptographic hash in one implementation could use the SHA3 algorithm, but is not limited to this specific algorithm.

(12) The update message is described as $um = UID \parallel h_{Ebj} \parallel E_a(k_{bj}, PK_{ol})$. The UID contains the version number of the software update. This prevents a rollback or roll forward attack. A rollback/forward attack is when an attacker pushes forward a valid software update to a less secure version of the software to enable a device to be attacked through known insecurities.

(13) Posting software updates using the steps in the invention through blockchain and cloud allows sensitive information to not have to be installed on an IoT device when it is manufactured. Installing information on a device during manufacturing is a common, but insecure practice for many current point-of-sale IoT devices at cash registers.

(14) To prevent impersonation attacks where a malicious actor impersonates a device's true manufacturer, embodiments of this invention leveraged a digital signature using ECDSA (elliptic curve digital signature algorithm) as it is both a secure and space-efficient algorithm for digital signatures.

(15) Through these methods, the security of the software update for the IoT devices is maintained.

Auditability

(16) The permanent and public record of the blockchain is leveraged for providing records that can be audited by the owner to know what versions of software are updated on which IoT devices. Moreover, the manufacturer can tell which devices are updated to better understand the security of the devices it has produced. This is particularly important in regulated environments (medical, automotive, power/electric) where individual safety is at risk.

(17) Auditability is accomplished in step 14 (FIG. 2) by sending the software update installation parameters to the blockchain to enable the manufacturer and the owner to permit audits. The proof of installation is recorded as $E(i \parallel j \parallel o \parallel l, PK_i) \parallel E(i \parallel j \parallel o \parallel l, PK_{ol})$.

Smart Contract and Financial Transaction

(18) Smart contracts are software-implemented algorithms that describe an indivisible atomic transaction on the blockchain. The smart contract algorithm ensures the delivery of fees for the software and also the installation of the software on the device. The smart contracts guarantee that both monies are paid and the software is delivered. The blockchain nodes are also incentivized for servicing the software update through smart contracts. In addition, the performance of our smart contracts is highly efficient as they use hashmaps providing O(1) (constant) computational time complexity.

Common IoT Attack Prevention

(19) There are several common attacks against software updates and IoT devices that are prevented by the embodiments of the invention.
Roll-back and roll-forward attacks are prevented by version information and by checking encrypted manifest information delivered to the owner.
Replay message attacks by which malicious attackers replay valid messages are prevented through the framework's use of ECDSA signature algorithms.
Malicious updates (altered updates) are prevented through confidentiality of encryption of data held in cloud and hashing algorithm to verify the integrity of the software.
Sybil attack is defined by incentivization of blockchain nodes to grow a long highly secure blockchain.
Denial-of-Service attack is prevented by protocol and IoT device maintaining valid and correct software updates.

(20) The Protocol defines 14 steps achieving the objective described infra. Specifically, these steps are:
Step 1: Manufacturer $m_i$ notifies owner $o_i$ of a new software update.
Step 2: Owner $o_i$ accepts/approves the software update to occur.
Step 3: Manufacturer $m_i$ uploads the symmetrically encrypted software update $E_s(b_j, k_b)$ to the cloud C. Symmetrical encryption is indicated by $E_s$.
Step 4: Manufacturer $m_i$ sends the smart contract to the blockchain payload node $p_k$.
Step 5: The blockchain payload node $p_k$ issues a request to the owner $o_l$ account for payment.
Step 6: The owner $o_l$ account satisfies payment and pays the fee for the blockchain payload node $p_k$.
Step 7: The blockchain payload node $p_k$ collects their fee and sends payment to the manufacturer $m_i$.
Step 8A: Manufacturer $m_i$ uploads the update message “um” which is composed of UID (uniquely identifies the manufacturer), and SHA3 hash $h_{Ebj}$ of the software update, and the asymmetrically encrypted keys $E_a(k_{bj}, PK_{ol})$. $E_a$ indicates asymmetric encryption. $k_{bj}$ is the encryption keys. $PK_{ol}$ is the public key of the owner.
Step 8B: Manufacturer $m_i$ uploads the ECDSA signature $\sigma$ of the update message “um” to the blockchain.
Step 9: Queries a blockchain payload node $p_k$ for the software update.
Step 10A: The blockchain payload node $p_k$ sends the update message.
Step 10B: The blockchain payload node $p_k$ sends the ECDSA signature $\sigma$ to the owner $o_l$.
Step 10C: The owner $o_l$ requests the encrypted software update file from the cloud C.
Step 11: The owner $o_l$ downloads the encrypted software update from the cloud C.
Step 12: The owner $o_l$ computes the SHA3 hash and compares it to $h_{Ebj}$. If the hashes match, the owner decrypts the encrypted software update and sends the software update $b_j$ and the UID to the device $d_{il}$.
Step 13: The device $d_{ij}$ notifies the owner $o_l$ of the software installation completion.
Step 14: The owner $o_l$ notifies the payload node $p_k$ that the software installation occurred, which is encrypted and recorded on the blockchain as $E_a(i \parallel j \parallel o \parallel l, PK_i) \parallel E_a(i \parallel j \parallel o \parallel l, PK_{ol})$. This enables the manufacturer or owner to later perform an audit.
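An added Node.js example, not taken from the patent, of the manufacturer side (steps 3, 8A, 8B) and the owner-side checks (steps 10A to 12) on the update message um = UID ∥ h_Ebj ∥ E_a(k_bj, PK_ol) described in paragraphs (10) to (12). The patent does not fix the primitives or encodings, so AES-256-GCM for E_s, RSA-OAEP for E_a, ECDSA over P-256 with SHA-256, SHA3-256, the length-prefixed framing, the JSON UID layout and the strictly-newer version policy are all assumptions; the blockchain and cloud are replaced by direct function arguments.

```javascript
const crypto = require('crypto');

// Assumed primitives: RSA-OAEP for E_a, AES-256-GCM for E_s, ECDSA P-256 for sigma.
const OAEP = key => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });
const demoKeys = () => ({                       // constructed key pairs for the demo
  owner: crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }),   // (PK_ol, SK_ol)
  mfr: crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }), // manufacturer signing key
});

// Length-prefix each field so UID || h_Ebj || E_a(k_bj, PK_ol) parses unambiguously.
const encodeUm = (...fields) => Buffer.concat(fields.flatMap(f => {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(f.length);
  return [len, f];
}));

// Manufacturer (steps 3, 8A, 8B): encrypt b_j, hash the ciphertext, wrap k_bj, sign um.
function publishUpdate(firmware, version, ownerPub, mfrPriv) {
  const kbj = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv('aes-256-gcm', kbj, iv);
  const body = Buffer.concat([enc.update(firmware), enc.final()]);
  const cloudBlob = Buffer.concat([iv, enc.getAuthTag(), body]);      // stored in cloud C
  const uid = Buffer.from(JSON.stringify({ mfr: 'm_i', version }));   // hypothetical UID layout
  const hEbj = crypto.createHash('sha3-256').update(cloudBlob).digest();
  const um = encodeUm(uid, hEbj, crypto.publicEncrypt(OAEP(ownerPub), kbj));
  return { cloudBlob, um, sigma: crypto.sign('sha256', um, mfrPriv) }; // um, sigma go on chain
}

// Owner (steps 10A-12): verify sigma, check the version, compare hashes, then decrypt.
function acceptUpdate({ cloudBlob, um, sigma }, installedVersion, ownerPriv, mfrPub) {
  if (!crypto.verify('sha256', um, mfrPub, sigma)) throw new Error('bad manufacturer signature');
  const fields = [];
  for (let off = 0; off < um.length;) {
    const len = um.readUInt32BE(off);
    fields.push(um.subarray(off + 4, off + 4 + len));
    off += 4 + len;
  }
  const [uid, hEbj, wrappedKey] = fields;
  if (!(JSON.parse(uid.toString()).version > installedVersion)) throw new Error('version not newer');
  const h = crypto.createHash('sha3-256').update(cloudBlob).digest();
  if (!crypto.timingSafeEqual(h, hEbj)) throw new Error('hash mismatch');
  const kbj = crypto.privateDecrypt(OAEP(ownerPriv), wrappedKey);
  const dec = crypto.createDecipheriv('aes-256-gcm', kbj, cloudBlob.subarray(0, 12));
  dec.setAuthTag(cloudBlob.subarray(12, 28));
  return Buffer.concat([dec.update(cloudBlob.subarray(28)), dec.final()]); // b_j for the device
}

const demo = demoKeys(), demoPkg = publishUpdate(Buffer.from('constructed firmware v7'), 7, demo.owner.publicKey, demo.mfr.privateKey);
console.log(acceptUpdate(demoPkg, 6, demo.owner.privateKey, demo.mfr.publicKey).toString());
```

The signature is checked before um is parsed, so the version and hash fields are only read from bytes the manufacturer actually signed.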